Hi,

I've never been a Windows user, but I'm curious to see how the AD integration works in Linux, since it looks like we may need to have one or two Windows desktops and I don't really want to start setting up Windows infrastructure. If I can have Samba as a domain controller that makes things a lot simpler.

I have one question though: the documentation suggests using the Microsoft tools to administer the domain... is there any equivalent on Linux for doing this? I'd hate to have to install a Windows machine simply to administer a Samba domain controller that was set up to avoid having to install Windows infrastructure.

If Windows is required, what's the minimum installation/setup to correctly administer a Samba domain? I guess I could run something in VirtualBox to achieve this.

-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
Hi James,

We use Samba 4.2 DCs and have Linux talking to the DC fine. This is using Kerberos via SSSD on CentOS 6 and various Fedoras. Password expiry works, nested groups work, and sudo rules and netgroups can be placed inside the AD tree as well.

A combination of the samba-tool command and pdbedit can achieve most things; however, you will still need the Windows management tools to interact with the Windows side of things, for example Group Policy Management. The ADUC tools are also very useful for visualising your LDAP tree and moving things around. Our internal documentation also says you need to use the ADUC tools to add UNIX Attributes to a Security Group. There might be a way to do it on the command line, but none of us seem to have bothered to figure it out :-)

I would recommend a single Windows Server (2012) with the ADUC tools installed for management (you could probably get by with Win8.1, but Server is less "graphical"). The server just needs to be joined to your domain; it doesn't need to be a DC as well. Then just install the "AD Management Tools" role and you should be set.

I do not recommend other Linux-based LDAP management tools, e.g. LAM (https://www.ldap-account-manager.org/lamcms/). Our staff are under strict instructions only to use LAM for netgroup management. You can create users and groups in LAM that badly break things on the AD side, like not creating the correct password expiry attributes.

-Luke

---
LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/
---
#1 Fastest Growing Tech Company in UK - Sunday Times Tech Track 100 (2014)
Awards
2015 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards
2014 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2014 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards
2014 Best Infrastructure/Technology Initiative - WSL Institutional Trading Awards
2013 #15 Fastest Growing Tech Company in UK - Sunday Times Tech Track 100
2013 Best Overall Testing Project - The European Software Testing Awards
2013 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2013 Best FX Trading Platform - ECN/MTF - WSL Institutional Trading Awards
2013 Best Executing Venue - Forex Magnates Awards
2011 Best Trading System - Financial Sector Technology Awards
2011 Innovative Programming Framework - Oracle Duke's Choice Awards
---
FX and CFDs are leveraged products that can result in losses exceeding your deposit. They are not suitable for everyone so please ensure you fully understand the risks involved.
This message and its attachments are confidential, may not be disclosed or used by any person other than the addressee and are intended only for the named recipient(s). This message is not intended for any recipient(s) who based on their nationality, place of business, domicile or for any other reason, is/are subject to local laws or regulations which prohibit the provision of such products and services. This message is subject to the terms at http://www.lmax.com/pdf/general-disclaimers.pdf however if you cannot access these, please notify us by replying to this email and we will send you the terms. If you are not the intended recipient, please notify the sender immediately and delete any copies of this message. LMAX Exchange is the trading name of LMAX Limited. LMAX Limited operates a multilateral trading facility. LMAX Limited is authorised and regulated by the Financial Conduct Authority (firm registration number 509778) and is a company registered in England and Wales (number 6505809). LMAX Hong Kong Limited is a wholly-owned subsidiary of LMAX Limited. LMAX Hong Kong is licensed by the Securities and Futures Commission in Hong Kong to conduct Type 3 (leveraged foreign exchange trading) regulated activity with CE Number BDV088.
Great summary from Luke, but I would add a couple of things:

> A combination of the samba-tool command and pdbedit can achieve most
> things...Our internal documentation also says you need to use the ADUC
> tools to add UNIX Attributes to a Security Group. There might be a way
> to do it on the command line but none of us have seemed to have bothered
> to figure it out :-)

I thought pdbedit was only for non-Active Directory setups? However, it's easy to add attributes to a user manually with ldbedit or via script with ldbmodify. There are also samba-tool options to add most of the common ones at user creation time. See "samba-tool user add --help".

> I would recommend a single Windows Server (2012) with the ADUC tools
> installed for management (you could probably get by with Win8.1 but
> Server is less "graphical").

I would recommend not wasting your money on Windows Server, as the ADUC tools are identical between server and desktop versions of Windows.
Hmm, thanks to all who replied... you've actually made me think of another question... I guess it's a bit odd on this list to see someone who's looking at using AD that doesn't know anything about it... last time I was tempted down the Windows path it was Win9x.

Anyway, you mentioned "netgroup management", which makes me wonder if the other NIS-style maps can be hosted in AD, such as autofs maps... is there any guide for how to do that? I guess it's a shame there's no native GUI for doing this, since Microsoft's directory management stuff does seem to be rather ubiquitous, and perhaps if it can support all the maps we would want in Unix then we could leverage that...

James
Replying back to the list :-)

The sudoers functionality is achieved by modifying the Samba schema; the sudo package itself distributes the schema change LDIF:

$ rpm -ql sudo | grep schema
/usr/share/doc/sudo/schema.ActiveDirectory
/usr/share/doc/sudo/schema.OpenLDAP
/usr/share/doc/sudo/schema.iPlanet

Technically, if you could find the correct schema to store autofs data in AD then it should work. Red Hat even appear to allow you to specify the LDAP attributes and object classes to use: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-config-autofs-LDAP.html

In fact, someone's already got Samba 4 serving automount data: https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

Note the warning at the top of the page.

-Luke

-- 
Luke Bigum
Senior Systems Engineer
Information Systems
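The two command-line routes the thread mentions, adding RFC2307 attributes with ldbmodify instead of the ADUC "UNIX Attributes" tab, and storing sudo rules in the tree once the sudo package's AD schema is imported, as an added example that is not code from the thread, from Samba or from the sudo project. It is a POSIX shell script that builds the LDIF records and, when ldbmodify/ldbadd are installed, feeds them to the DC's sam.ldb. The base DN DC=example,DC=com, the object names, the numeric IDs, the OU=SUDOers container, the SAM_DB path and the function names are all assumptions; the domain must have been provisioned with RFC2307 support and the sudo schema imported for the DC to accept these attributes.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the LDIF that ldbmodify
# (RFC2307 attributes on a user or group) and ldbadd (a sudoRole entry from
# the sudo package's AD schema) would apply to a Samba AD DC.
# Assumed: RFC2307-provisioned domain, sudo schema imported, example DNs/IDs.
set -eu

NL="$(printf '\nx')"; NL="${NL%x}"   # a literal newline, used by the checks

# LDIF is line-oriented: a value carrying a newline would become an extra
# attribute line (e.g. a second uidNumber), so refuse it before it is written.
check_no_newline() {
    case "$1" in
        *"$NL"*) echo "refusing value containing a newline" >&2; return 1 ;;
    esac
    return 0
}

# uidNumber/gidNumber must be plain non-negative integers.
check_numeric() {
    case "$1" in
        ''|*[!0-9]*) echo "not a numeric ID: $1" >&2; return 1 ;;
    esac
    return 0
}

# unix_attr_ldif group DN GID
# unix_attr_ldif user  DN UID GID HOME SHELL
# Prints an LDIF 'modify' record adding the attributes the ADUC tab would set.
unix_attr_ldif() {
    kind=$1; dn=$2; shift 2
    check_no_newline "$dn" || return 1
    case "$kind" in
        group) [ $# -eq 1 ] && check_numeric "$1" || return 1 ;;
        user)  [ $# -eq 4 ] && check_numeric "$1" && check_numeric "$2" \
                 && check_no_newline "$3" && check_no_newline "$4" || return 1 ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    if [ "$kind" = group ]; then
        printf 'add: gidNumber\ngidNumber: %s\n' "$1"
    else
        printf 'add: uidNumber\nuidNumber: %s\n-\n' "$1"
        printf 'add: gidNumber\ngidNumber: %s\n-\n' "$2"
        printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$3"
        printf 'add: loginShell\nloginShell: %s\n' "$4"
    fi
}

# sudo_role_ldif CONTAINER_DN NAME SUDO_USER SUDO_HOST SUDO_COMMAND
# Prints an LDIF entry for ldbadd: one sudoRole granting exactly one command
# on one host, which keeps the rule as narrow as the sudo schema allows.
sudo_role_ldif() {
    container=$1; name=$2; user=$3; host=$4; cmd=$5
    for v in "$container" "$name" "$user" "$host" "$cmd"; do
        check_no_newline "$v" || return 1
    done
    printf 'dn: CN=%s,%s\n' "$name" "$container"
    printf 'objectClass: top\nobjectClass: sudoRole\ncn: %s\n' "$name"
    printf 'sudoUser: %s\nsudoHost: %s\nsudoCommand: %s\n' "$user" "$host" "$cmd"
}

# Feed one LDIF record to ldbmodify or ldbadd against the DC's sam.ldb.
# SAM_DB is an assumed path (package installs often use
# /var/lib/samba/private/sam.ldb). Without the tool, the record is printed.
apply_ldif() {
    tool=$1; ldif=$2
    sam_db=${SAM_DB:-/usr/local/samba/private/sam.ldb}
    if command -v "$tool" >/dev/null 2>&1; then
        printf '%s\n' "$ldif" | "$tool" -H "$sam_db"
    else
        printf '%s\n' "$ldif"
    fi
}

demo() {
    apply_ldif ldbmodify "$(unix_attr_ldif group 'CN=unixusers,CN=Users,DC=example,DC=com' 10000)"
    apply_ldif ldbmodify "$(unix_attr_ldif user 'CN=jsmith,CN=Users,DC=example,DC=com' 10001 10000 /home/jsmith /bin/bash)"
    apply_ldif ldbadd "$(sudo_role_ldif 'OU=SUDOers,DC=example,DC=com' restart-httpd '%webadmins' web01.example.com '/usr/bin/systemctl restart httpd')"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh unixattr.sh demo` on the DC: with ldbmodify and ldbadd absent it only prints the three records, which is a convenient way to review what would be written before running it where the tools exist. The newline check matters because anything that feeds these functions from a ticket or form would otherwise be able to turn a single "home directory" value into an extra uidNumber line, and uidNumber/gidNumber are what the Linux side trusts for file ownership.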